At the heart of any fintech is its ability to use its customers’ data well. Several sessions at this year’s GFF centered around the power of data - its ability to drive inclusion, resilience, and innovation.
For several years, data was only mildly regulated in India. The DPDP Act took several years to be passed, and the barely enforced SPDI Rules continued to govern the use of sensitive data. But in recent times, regulatory intent has been clear. DPDP aside, effective data governance is an RBI priority as well. Prominent RBI actions this year have involved concerns around data use. RBI’s action against Kotak Mahindra Bank, the cancellation of two NBFC licenses, the action against Paytm Payments Bank – all involved concerns around the use/sharing of data. RBI’s regulations have also increasingly addressed data security and privacy. For instance, the Digital Lending Guidelines (DLG) set out dos and don’ts around data use and sharing by regulated entities. The master directions on cards barred co-branding partners from accessing transaction data. The draft outsourcing directions set out more details on what the RE-OSP outsourcing agreement must cover around data use.
So, to be resilient, fintechs must make data compliance and governance a priority.
A quick recap of where to start and what to do (and more writing here, here and here):
- Know yourself: Identify if you control the data (i.e. you are a data fiduciary) or you process it for someone else (i.e. data processor).
- Know your data: Identify what data you collect and why.
- Share with care: Evaluate why you need to share your customers’ data with third parties, and share with appropriate checks.
- Tell it all: Disclose everything to your customers.
The first three steps are all about getting your house in order. We hope you’ve done these by now.
Today we focus our energies on the last step – telling your users about your data practices.
“Isn’t this just our privacy policy?” you ask. We can see the dismissive head shakes. After all, for several years, the only people who cared about disclosures have been us lawyers.
But we think disclosures are more than a verbose treatise relegated to one webpage on your website. The DPDP Act might simply say give users a “notice”. But we think it calls for lawyers to join hands with product/tech teams and get involved in product design.
A few ideas to start with:
Privacy by design on the UI/UX
Transparency means telling users relevant information at relevant times. That means embedding disclosures within the user interface/user experience (UI/UX) so that users can make informed choices.
This means reviewing the customer journey on your platform - from app download, to a user creating an account, signing in, using the platform, to account deletion - to see precisely when to tell users what, and giving them choices on the UI itself rather than expecting them to read a long-form privacy policy. At the same time, the more text users see on the UI, the more confused they may get. So one must not go overboard – avoid inundating the user with too much text and more choices than they can grasp.
For instance, a lot of text and checkboxes in one go may overwhelm a user:
But snippets of information at the right time may be more impactful:
Or breaking up the text onto different screens:
A short-form notice
Several platforms still only provide a statement to users seeking their agreement to the terms and privacy policy. While these documents are hyperlinked and a user could click on a link to read the policy, the chances of that happening are slim. Instead, a short notice with the big headlines could give users meaningful information on the UI itself. For instance:
For reference, fintechs would be familiar with the disclosure that must be displayed when accessing a user’s credit score on their behalf from credit bureaus, or the notice one gets while pulling an Aadhaar XML from DigiLocker.
Layered notices
A layered notice embedded on the platform rather than a web URL can make for better reading:
Beefing up the privacy policy
Of course, the long-form privacy policy is still a critical document. This is the only opportunity that a company gets to tell users in some detail about what data is collected, why, how it’s used, who it’s shared with, what are their choices around data, etc. And so, companies must get this right.
For instance, so far we’ve been used to seeing separate sections that describe what information is being collected (usually categorised as information that the user provides, information that is automatically collected, and information that is collected from third parties) and how the information is being used (to provide the platform/services, for fraud prevention, customer support, etc.). But for better transparency, companies could consider mapping each data point collected against the purposes it serves, or describing in greater detail what data is collected at which stage.
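One way to make the purpose mapping and stage-wise disclosure described above operational is to keep the data map as structured data in the codebase, so that the short-form notice for each screen and the purpose-to-data mapping in the long-form policy are generated from one source, and any data point that lacks a stated purpose is caught before it ships. This is an added illustration, not code from the post or from Ikigai Law; the data points, stages, purposes and recipients below are constructed for a hypothetical lending app.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataPoint:
    name: str                 # data point collected from the user
    stage: str                # step of the customer journey where it is collected
    purposes: tuple           # why it is collected (empty tuple = undocumented)
    shared_with: tuple = ()   # third parties it is shared with, if any


# Constructed sample data map for a hypothetical lending app (illustrative only).
DATA_MAP = [
    DataPoint("mobile_number", "account_creation", ("login", "fraud_prevention")),
    DataPoint("pan", "kyc", ("identity_verification",), ("kyc_vendor",)),
    DataPoint("credit_score", "loan_application", ("credit_assessment",), ("credit_bureau",)),
    DataPoint("device_id", "app_install", ()),  # no purpose recorded: must be flagged
]


def missing_purposes(data_map):
    """Data points collected without a documented purpose (a review blocker)."""
    return [d.name for d in data_map if not d.purposes]


def purpose_map(data_map):
    """Map each purpose to the data points collected for it (for the long-form policy)."""
    result = {}
    for d in data_map:
        for p in d.purposes:
            result.setdefault(p, []).append(d.name)
    return result


def stage_notice(data_map, stage):
    """Short-form notice lines for one screen: what is collected, why, and who sees it."""
    lines = []
    for d in data_map:
        if d.stage != stage or not d.purposes:
            continue  # undocumented data points are never disclosed as collected
        what = d.name.replace("_", " ")
        why = ", ".join(p.replace("_", " ") for p in d.purposes)
        line = f"We collect your {what} for {why}"
        if d.shared_with:
            line += f"; shared with {', '.join(d.shared_with)}"
        lines.append(line + ".")
    return lines
```

Running `missing_purposes(DATA_MAP)` in a pre-release check flags `device_id`, while `stage_notice(DATA_MAP, "kyc")` yields the single disclosure line to show on the KYC screen.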
With the DPDP rules around the corner, and RBI focusing increasingly on data use, fintechs that build a privacy-conscious UI/UX and tech architecture will be better placed to absorb shocks.
(This post has been authored by the fintech team at Ikigai Law. It was originally published in the September 2024 edition of our monthly fintech newsletter FinTales.)